I am studying hash functions. I can understand why collision resistance implies second preimage resistance, but I don't get why second preimage resistance should imply first preimage resistance.

Could anybody help me with this argument from Introduction to Modern Cryptography by Katz & Lindell, please?

Collision resistance: This is the strongest notion and the one we have considered so far.

Second pre-image resistance: Informally speaking, a hash function is second pre-image resistant if given $s$ and $x$ it is infeasible for a probabilistic polynomial-time adversary to find $x' \ne x$ such that $H^s(x') = H^s(x)$.

Pre-image resistance: Informally, a hash function is pre-image resistant if given $s$ and $y = H^s(x)$ (but not $x$ itself) for a randomly chosen $x$, it is infeasible for a probabilistic polynomial-time adversary to find a value $x'$ such that $H^s(x') = y$. (Looking ahead to later chapters in the book, this essentially means that $H^s$ is one-way.)

[...] Likewise, any hash function that is second pre-image resistant is also pre-image resistant. This is due to the fact that if it is possible to invert
$y$ and find an $x^\prime$ such that $H^s (x^\prime ) = y$ then it is possible to take $x$, compute
$y = H^s (x)$ and invert it again obtaining $x^\prime$. Since the domain of $H$ is infinite,
it follows that with good probability $x \neq x^\prime$. We conclude that the above
three security requirements form a hierarchy with each definition implying
the one below it.

It doesn't. So where did you find that claim?
– CodesInChaos♦ Sep 27 '13 at 18:57

For example, consider the pathological 512-bit hash function that concatenates the first 256 bits of the input with the output of a secure 256-bit hash function. This isn't first pre-image resistant, but has 256 bits of second pre-image resistance.
– CodesInChaos♦ Sep 27 '13 at 19:00

1

@CodesInChaos I found this claim on page 130 of the book by Jonathan Katz and Yehuda Lindell (Introduction to Modern Cryptography)
– juaninf Sep 27 '13 at 19:09

2 Answers
2

Let me try to elaborate on their proof. Suppose you had a hash function $H$ that was second-preimage resistant but not first-preimage resistant. By showing that this leads to a contradiction, we will be showing that with second-preimage resistance, you must have first-preimage resistance. Namely, we will show that the lack of first-preimage resistance is enough to break second-preimage resistance.

When breaking second-preimage resistance, we are given a random $x$ and the goal is to find another $x' \ne x$ such that $H(x') = H(x)$. Suppose we are given a random $x$. Then we can compute $H(x)$ and then use our preimage-finding algorithm (since this hash function isn't first-preimage resistant, remember?) to find an input $x'$ such that $H(x') = H(x)$.

The question becomes whether or not $x' = x$. For a hash function with an infinite domain, there are infinitely many inputs that $H$ maps to the same output. That is, there exist infinitely many second-preimages for any particular $x$; the question is whether or not we can find one.

Intuitively, the preimage-finding algorithm "should" give back an $x' \ne x$. After all, there are infinitely many inputs that map to the same output as $x$, so the probability that we find the exact $x$ we were given "should be" low, right?

So we should have an $x' \ne x$ such that $H(x') = H(x)$. But this is a second preimage! Thus, assuming that $x'$ indeed does not equal $x$, we cannot have a hash function that has second-preimage resistance but not first-preimage resistance. Thus, second-preimage resistance must imply first-preimage resistance. This is not a formal proof: just an intuitive argument.

The crucial assumption in this "proof" is that the domain is infinite. If it were not infinite, then all bets are off. In that case, the output size of the hash function needs to be sufficiently small relative to the input size for this argument to hold. I've written about that idea in great detail in my answer to the question "Pre-image resistant but not 2nd pre-image resistant?", so I refer you to that for more technical details.

I gave that example over a year ago.
– Ricky Demer Apr 22 at 23:28

1

@Ricky Didn't see it as an answer. Not sure what you're trying to accomplish with this comment.
– scampos Apr 22 at 23:59

1

I don't think what @scampos has done necessarily deserves a deletion. See this question on meta.SE. We have also discussed this sort of thing on our Meta. At the very least, the answer expands slightly (adds some mathematical notation, etc.) on Ricky's comment.
– mikeazo♦ Apr 23 at 12:28

1

I don't really agree with this answer, because to me, the identity function is not a hash function. Look at the definitions of hash function and cryptographic hash function on Wikipedia. I see problems with the identity function with relation to both of those definitions.
– mikeazo♦ Apr 23 at 12:31

@mikeazo Thank you for the vote of confidence, and I agree with you taking issue about this deviating from some of the accepted definitions of a hash. I've edited the answer to fix some of those issues. Although I wouldn't go so far as to hold it up against the definition of a cryptographic hash, since that includes collision resistance and both image resistances.
– scampos Apr 24 at 11:11
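
The reduction from the first answer, run on toy functions (an added example, not part of the thread or the book). The names `h_small` and `h_leaky`, the 2-byte domain and both inverters are assumptions, sized so exhaustive search is instant; `h_leaky` is a scaled-down analogue of the leaky function from the comments, restricted to inputs that fit in the leaked prefix. The reduction fails exactly when the inverter hands back $x$ itself.

```python
import hashlib

# Constructed toy domain: every 2-byte input.
DOMAIN = [i.to_bytes(2, "big") for i in range(2**16)]

def h_small(x: bytes) -> bytes:
    """Compressing toy hash: 16-bit input, 8-bit output (truncated SHA-256)."""
    return hashlib.sha256(x).digest()[:1]

def h_leaky(x: bytes) -> bytes:
    """Leaky toy hash: the input prefix concatenated with a hash of the input."""
    return x[:2] + hashlib.sha256(x).digest()[:1]

def table_inverter(h):
    """Preimage finder by exhaustive search: first preimage in DOMAIN order."""
    table = {}
    for x in DOMAIN:
        table.setdefault(h(x), x)
    return lambda y: table[y]

def prefix_inverter(y: bytes) -> bytes:
    """Preimage finder for h_leaky: the input can be read off the output."""
    return y[:2]

def second_preimage(h, invert, x: bytes):
    """The reduction: hash x, invert the digest, keep x' only if x' != x."""
    y = h(x)
    x2 = invert(y)
    return x2 if x2 != x and h(x2) == y else None

def success_count(h, invert) -> int:
    """Number of inputs x in DOMAIN for which the reduction yields a second preimage."""
    return sum(second_preimage(h, invert, x) is not None for x in DOMAIN)

if __name__ == "__main__":
    n = success_count(h_small, table_inverter(h_small))
    # Fails only for the one "first" preimage per digest: at most 2**8 inputs.
    print(f"h_small: {n}/{len(DOMAIN)} inputs give a second preimage")
    m = success_count(h_leaky, prefix_inverter)
    # The inverter always returns x itself, so the reduction never succeeds.
    print(f"h_leaky: {m}/{len(DOMAIN)} inputs give a second preimage")
```

On `h_small` the failure fraction is (number of digests)/(number of inputs), which is the "output small relative to input" condition the first answer mentions.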